former_member192852

Recently, I was playing with some of the ABAP CDS views and faced several challenges with authorizations. I do not see many documents online for CDS development, as it is relatively new, and therefore I have decided to write a blog that I think might benefit someone out there.

As you may already be aware, ABAP CDS views run on the ABAP layer and are not restricted to SAP HANA (i.e. they are database independent). ABAP CDS has its own authorization concept, based on roles defined with DEFINE ROLE in a DCL source.

Here is a basic CDS view with data category “dimension”


When I ran the CDS view above in HANA Studio, I observed that the query did not fetch the data for Cost Centers. Why?


Every CDS view has a corresponding SQL view in SE11. In the above example, IFICostCenter is the DDL SQL view for the DDL source I_CostCenter.

Here is an easy way to find the package where these objects are defined:

Go to SE11 > Enter the view, IFICostCenter > Display

You can find the package name here (highlighted above).

Now open HANA Studio and add the package to your Favorite Package folder.

Once it is added to your Favorite package, expand Core Data Services and you will see the DDL sources in the Data Definitions folder and the DCL sources in the Access Controls folder.

Here is an example of a DCL source for Cost Center CDS view

Note: DDL and DCL names must be identical.

Authorization checks are done in the DCL source. We should make sure that the authorization object K_CSKS is assigned to users in the back end (in my case, S/4HANA 1511).

Once the authorization object is granted to users, I started seeing the data for cost centers. Bingo!

Note: actvt is the action. In this case 03 - Display 

The annotation @AccessControl.authorizationCheck: #CHECK enforces the authorization check. The authorization check will be ignored if you use #NOT_REQUIRED or #NOT_ALLOWED.
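To make the DDL/DCL pairing described above concrete, here is an added example (not the original post's screenshots and not SAP's delivered source) of a dimension view with the check enforced and a matching role on K_CSKS. The view name ZDEMO_I_CostCenter, the SQL view name ZDEMOCCTR and the element names are hypothetical; the K_CSKS fields KOKRS and KOSTL and the CSKS columns are assumed from the standard cost center master.

```abap
// ---- Data Definition (DDL source): ZDEMO_I_CostCenter (hypothetical name) ----
@AbapCatalog.sqlViewName: 'ZDEMOCCTR'          // generated SQL view, visible in SE11
@Analytics.dataCategory: #DIMENSION            // data category "dimension"
@AccessControl.authorizationCheck: #CHECK      // enforce the role defined below
@EndUserText.label: 'Cost center (demo)'
define view ZDEMO_I_CostCenter
  as select from csks
{
  key kokrs as ControllingArea,
  key kostl as CostCenter,
  key datbi as ValidityEndDate,
      datab as ValidityStartDate
}

// ---- Access Control (DCL source): same name as the DDL source ----
@EndUserText.label: 'Cost center (demo) access'
@MappingRole: true
define role ZDEMO_I_CostCenter {
  grant select on ZDEMO_I_CostCenter
    // Return only rows whose controlling area and cost center match the
    // user's K_CSKS authorization values, and only if that authorization
    // includes activity 03 (Display).
    where ( ControllingArea, CostCenter ) =
      aspect pfcg_auth( K_CSKS, KOKRS, KOSTL, ACTVT = '03' );
}
```

A user without a matching K_CSKS authorization gets an empty result from this view rather than an error, which matches the empty query result described above. The role filters reads of the CDS entity by name; reading the generated SQL view directly is not filtered by it.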

Hope this helps


